03.04.20

Techrights Urges Readers to Ask the Linux Foundation’s Let’s Encrypt (Backed by Companies That Give the NSA Back Doors) Some Hard But Legitimate Questions

Posted in GNU/Linux, Security at 3:43 am by Dr. Roy Schestowitz

Logo of Let's Encrypt

Summary: It’s not impossible that the bug in Let’s Encrypt was introduced by a rogue insider, if not someone further up above; Let’s Encrypt must address critical questions or be widely seen as a compromised, untrustworthy CA

JUST like the Linux Foundation, Let’s Encrypt is using Microsoft GitHub for their site and for their code. So much for security, eh? It’s owned by Microsoft, possibly the NSA’s closest partner. But putting that aside, today’s certificates avalanche led us to discovering that the Foundation's executive who came there from James Clapper's office has left the Foundation (she vanished from the management's page). It’s likely just a coincidence, but bringing that up isn’t crazy. We wrote about half a dozen articles already about how the Linux Foundation works for ‘surveillance capitalism’ and the ‘security state’. It’s a matter of public record and it’s easily provable using basic open source intelligence (OSINT).

At work last night, I actually had to step in for clients and urgently change certificates (to avert downtime of critical services). The fiasco is starting to show up in more of the media (but not much of it so far).

We have some facts. For instance, it is clear that somebody changed the code and we don’t know when exactly. This article explains that “Let’s Encrypt explained on Tuesday [less than a day early] it had to revoke the 3 million certificates because of a CAA bug that impacted the way its software checked domain ownership before issuing certificates.”

Here’s what they told the writer: “Josh Aas, executive director of Let’s Encrypt, said in a statement to Threatpost, “A bug was introduced in our code during a feature flag update. Under certain conditions, this bug caused us to skip a check that we are required to perform before issuing a certificate. We determined that the bug affected about 3 million, or about 2.6 percent, of our active certificates. Unfortunately, we need to revoke these certificates, which we will be doing within the compliance timeline set forth by the Baseline Requirements.””

According to this, “Let’s Encrypt will be revoking 3,048,289 currently-valid certificates” (notice how they’re contradicting themselves with the numbers).

“As part of the rules for this feature,” it adds, “authorities must check CAA records at most 8 hours before a certificate is issued.”

Also: “With only 24 hours to renew their certificates, many users are scrambling to get them done and some are running into issues.”

Yes, I should know. This caused much alarm where I work. It’s a fiasco.

We urge readers to ask Let’s Encrypt the following questions (maybe more, maybe less)

  • When did you find out about this bug?
  • Why was it not there before?
  • Which worker is responsible for this bug?
  • When was this worker hired?
  • Is this worker still working for you?
  • Why were the certificates all revoked so fast?
  • Why was this barely announced to the public? Should the Foundation not shout from the rooftops to avert disasters (as opposed to saving face)?
  • Were particular parties/stakeholders informed well in advance?
  • Were government entities informed in advance (in the name of “national security”) and, if so, how long in advance?

The E-mail address to reach them on: security@letsencrypt.org

Alternative/additional E-mail: press@letsencrypt.org

Please share their answers, if any, with us.

If they fail to even respond to these questions, that will not inspire confidence, will it?

Remember Gemalto?

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email

This post is also available in Gemini over at:

gemini://gemini.techrights.org/2020/03/04/lets-ask-lets-encrypt/

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

What Else is New

  1. IRC Proceedings: Wednesday, May 12, 2021

    IRC logs for Wednesday, May 12, 2021

  2. Andrew Lee of Private Internet Access/London Trust Media Increasingly Owns and Controls Freenode

    The details about Freenode ownership and control are explained in a resignation letter urging users to move to another network

  3. [Meme] eBPF is Not Microsoft's, But It's Certainly Googlebombed by Microsoft

    eBPF isn't Microsoft's. But sites that work closely with Microsoft keep mentioning that term as if Microsoft created it and champions it (typical tactics).

  4. Links 13/5/2021: OpenSUSE Leap 15.3 on Finer Hardware, AMI Dabbling in Free Firmware

    Links for the day

  5. The EPO's War on Justice and Assault on the Law -- Part 3: The Current Line-up

    The composition of the Enlarged Board for case no. G 1/21

  6. System76’s First Keyboard Packs in Plenty of Surprises

    Putting the genie back in the bottle is hard, and moreover the corrective post from Joey Sneddon may cause a bit of a 'Streisand Effect'

  7. Links 12/5/2021: HAProxy Data Plane API 2.3 and Mousepad 0.5.5

    Links for the day

  8. IBM is Destroying Red Hat, Squeezing Red Hat's Work for Cash, Laying Off Staff, and Asking Staff to Resign

    Layoffs are not a new thing at IBM (hardly so in the past couple of decades or more), but they're oversensitive about the Red Hat agenda

  9. [Meme] Longing for the Original IP Kat...

    It would be nice to see more posts critical of injustice at the EPO, as we've just noted

  10. The EPO's War on Justice and Assault on the Law -- Part 2: Just Another Pro Forma Rubber-Stamping Exercise?

    Half a decade after Benoît Battistelli ‘kidnapped’ and then defamed judges (it started in 2014) António Campinos has done nothing to restore lawfulness at the EPO, as controversial referral case G 1/21 shows; in fact, they recently approved European software patents after pressure from Campinos himself

  11. Why I'm Using Just a Landline and Recalling My Richard Stallman (RMS) Interview on Working Locally or How the Signal Processor in Phones is a De Facto Back Door

    A longer-than-expected rant about what mobile phones have turned into and a look back at (or listen to) what Richard Stallman (RMS) told me way back in 2013

  12. The European Campinos Award

    The campinos (peasants) of Europe shall gather around for another ceremony championing farmers and nurses... or not

  13. Personal Thoughts About the EPO 'Kangaroo Court' Scandal

    Some unscripted and unedited thoughts about the current EPO scandal/series, which shows intervention such as stacking by António Campinos, continuing the tradition of Benoît Battistelli with his attacks on justice itself

  14. Doing Justice by Reporting Injustice

    Europe's second-largest institution, helped by Europe's largest, is engaging in a massive attack on the very concept of the Rule of Law and incredibly enough the so-called 'press' (or 'media') doesn't report on it

  15. IRC Proceedings: Tuesday, May 11, 2021

    IRC logs for Tuesday, May 11, 2021

  16. Links 12/5/2021: New Audacity and Musescore Owner Named, Microsoft May Lose "JEDI" (Trump's 'Bailout Package')

    Links for the day

  17. The EPO's War on Justice and Assault on the Law -- Part 1: Rumours of a Kangaroo Court at EPOnia

    EPO's President Benoît Battistelli viciously attacked judges and slandered judges; António Campinos adopts a more 'soft power' approach, but nevertheless the impact is the same

  18. Bill Gates Exposed

    While publishers like ZDNet worked hard (on Microsoft's budget) to distract us from real scandals many nefarious things were happening; are we witnessing the fall of Gates?

  19. Welcome to ZDNet's 'Linux' Section...

    ZDNet, which defamed RMS to help distract from Bill Gates scandals, is doing what the sponsors (IBM, Microsoft, Linux Foundation) pay for

  20. Europe's Second-Largest Institution, the EPO, is Partly Based in the United States

    The EPO has outsourced its operations, including its 'courts', to the United States; this seems to be the so-called 'New Normal'

  21. You Look for Linux News and Instead It's Microsoft Noise and Openwashing

    Imagine trying to go about doing your own 'business', only to be confronted by paid-for plugs (sponsored) by the people trying to undercut/undermine your business; welcome to "Linux" in 2021

  22. Links 11/5/2021: Maui 1.2.2 and Tor Releases

    Links for the day

  23. The Next Generation of Free Software (or Software Freedom) Activism, Tackling Newer Problems

    New challenges as labour rights and human rights are further eroded, thanks to 'high' 'tech' with its very 'innovative' 'features'

  24. Mass Litigation Over the Salary Adjustment Procedure (SAP), Basically an Attack on All EPO Staff, Even EPO Pensioners

    “Importance of a binding and unambiguous erga omnes declaration” stressed by staff representatives of the EPO in a new letter to Benoît Battistelli‘s successor of choice, António Campinos, who has done nothing so far except attacking (or robbing) EPO staff, even EPO pensioners

  25. EPO 'Dialogue' With Staff Representatives is as Dead as 'Dialogue' With the Union

    “Yet another failure of social [sic] dialogue [sic] for Mr Campinos,” according to staff representatives, who rightly bemoan the Office president not giving a damn about staff; things quickly deteriorate in Europe’s second-largest institution, which does even worse things than granting loads of illegal European software patents (harming software producers and users alike)

  26. The FSF Needs to Reject OSI (and Open Source) Along With Much-Needed Rejection of the GNOME Foundation (Not the Same as the GNOME Project)

    Response to a good little speech (unscripted apparently) by Geoffrey Knauth, who explained his position on Open Source about a year ago

  27. Links 11/5/2021: Bodhi Linux 6.0, Coreboot 4.14, and DragonFly BSD 6.0

    Links for the day

  28. IRC Proceedings: Monday, May 10, 2021

    IRC logs for Monday, May 10, 2021

  29. Keynote by FSF President Geoff Knauth and Executive Director John Sullivan

    To quote the source: “FSF president Geoff Knauth became the president of the FSF in 2020, but has served on the FSF board of directors for over twenty years. FSF executive director John Sullivan started work with the FSF in 2003, and has never stopped since, with past roles including the FSF’s first Campaigns Manager and later the Manager of Operations.”

  30. Richard Stallman on Companies That Are “Only Pretending to be American Companies”

    Dr. Richard Stallman, the Free Software Foundation's founder, speaks about US politics being captured and dominated by large and multinational corporations in pursuit of just money and power

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts